System and method for reporting packet characteristics in a network environment

ABSTRACT

A method is provided in one example and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits are used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a threshold being reached for at least one of the parameters. The parameters can be associated a volume parameter or a time parameter. The policy decision could include blocking traffic associated with the subscriber, initiating billing, redirecting the communication, managing a quality of service level for the communication flow, etc.

TECHNICAL FIELD

This disclosure relates in general to the field of communications and, more particularly, to reporting packet characteristics in a network environment.

BACKGROUND

Networking architectures have grown increasingly complex in communication environments. As the subscriber base of end users increases and/or becomes mobile, proper routing and efficient management of communication sessions and data flows becomes critical. Typically, subscribers seek to access content from various locations in the network. Subscribers may be provided connectivity or services based on some type of policy or agreement that involves a service provider. The service provider relationship commonly dictates the terms under which subscribers operate in the network. The ability to properly manage policies and financial commitments for the subscriber presents a significant challenge to system designers, component manufacturers, network operators, and system administrators.

BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:

FIG. 1 is a simplified block diagram of a communication system for reporting packet characteristics in a network environment in accordance with one embodiment of the present disclosure;

FIG. 2 is a simplified flow diagram illustrating potential operations associated with the communication system;

FIG. 3 is a simplified flow diagram illustrating alternative operations associated with the communication system; and

FIG. 4 is a simplified block diagram illustrating an alternative configuration for the communication system.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

A method is provided in one example embodiment and includes receiving a request to initiate a communication flow associated with a subscriber and identifying one or more parameters to be monitored for the communication flow. The method further includes extracting one or more bits from packets associated with the communication flow; the bits can be used to determine an operating system associated with the communication flow. A policy decision can be executed for the communication flow based on the operating system associated with the communication flow. In more specific examples, the bits are sent to a next destination in response to a transmission control protocol (TCP) signature trigger being matched. The policy decision could include blocking traffic associated with the subscriber, initiating billing for the communication flow, redirecting the communication flow to a next destination, managing a quality of service level for the communication flow, etc. In more particular embodiments, the bits are part of a SYN packet (e.g., within a TCP header, a packet option, a packet flag, a TCP field, etc.).

Example Embodiments

Turning to FIG. 1, FIG. 1 is a simplified block diagram of a communication system 10 for reporting packet characteristics in a network environment. FIG. 1 may include a subscriber 12, a service gateway 14, a radio access network (RAN) 16, multiple serving general packet radio service (GPRS) support nodes (SGSNs) 18 a and 18 b, and an Internet protocol (IP) network 20. Additionally, communication system 10 may include multiple gateway GPRS support nodes (GGSNs) 32 a and 32 b. In addition, service gateway 14 may include a loggen element 24, a known user table (KUT) 26, and multiple traffic processors 36, which have a logical connection to a control processor 38. Service gateway 14 may additionally include a packet signature module 48, a quality of service (QoS) module 54, a policy control enforcement function (PCEF) module 56, and a memory element 34. Communication system 10 may also include a policy and charging rules function (PCRF) element 40, which includes a packet mapping module 42, a processor 44, and a memory element 46. Additionally, communication system 10 includes a server 60, which may provide content or services sought by subscriber 12.

Communication system 10 may include a configuration capable of transmission control protocol/internet protocol (TCP/IP) communications for the transmission and/or reception of packets in a network. Communication system 10 may also operate in conjunction with a user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs. Communication system 10 may be generally configured or arranged to represent a 2G, a 2.5G, or a 3 G communication architecture applicable to a Global System for Mobile (GSM) environment in accordance with a particular embodiment of the present disclosure. Communication system 10 may also be configured to operate with any version of any suitable GPRS tunneling protocol.

For purposes of illustrating certain example techniques of communication system 10, it is important to understand the communications that may be traversing the network and which can offer clues about the devices being employed by a given subscriber. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Service providers would like to be able to identify the source operating system (OS) for subscriber devices on the network. Once the operating system is known, service providers can identify which devices are attached to their network and, with that information, control policies associated with particular subscribers. A problem surfaces when subscribers latch onto a network with various types of devices: some of which may consume an inappropriate amount of bandwidth. Stated in different terms, some devices that are unauthorized may attach to the service provider's network. In more specific instances, certain devices may fall outside a user agreement between the subscriber and the service provider. In one sense, subscribers can circumvent policies by changing their devices at the point of attachment to the network. For example, a mobile service provider may have an agreement that only accommodates mobile phones for the network. Certain subscribers may choose to attach laptops, desktop machines, or various other devices to the network and these devices (e.g., per the terms of the policy) should not be provided with network connectivity.

Communication system 10 can resolve this issue by identifying the operating system associated with incoming flows. This can be achieved by evaluating packets being sent from particular subscriber devices. Through analyzing packets, the underlying operating system can reveal data indicative of the particular device being employed by the subscriber. For example, certain transmission control protocol (TCP) headers may be used to identify a particular operating system (e.g., WINDOWS, Linux, MAC, etc.). In other instances, specific packet options, flags, or IP header information may be identified in order to discern an associated operating system. Any number of additional characteristics may be gleaned in order to make an intelligent assessment of a given operating system. Thus, by understanding certain characteristics of particular operating systems, an intelligent identification of devices can be made based on corresponding packet flows. Some of these possible packet characteristics are discussed below and, further, illustrated in an example table of FIG. 4.

In one example implementation of communication system 10, attribute-value pairs (AVPs) can be used for various types of triggers, which can be set (i.e., identified) to monitor subscriber flows for particular events. Examples of potential triggers (i.e., parameters) can be associated with per-user volume thresholds, per-user time thresholds, or any other suitable characteristic associated with the flow. The AVPs can be modeled similar to charging rule trigger AVPs, which can take various forms. In one example embodiment, KUT 26 can provide an application program interface (API) for determining if the parameters (e.g., criteria) for generating a TCP signature message are present. This includes monitoring the thresholds associated with these parameters. If a message is to be generated, the API can also provide a mechanism for extracting the required bytes from the triggering packet. In one example, the activities for TCP signature message generation include: 1) a TCP signature trigger being set for the subscriber; 2) a current packet being received from the subscriber; and 3) the current packet being a TCP packet with the SYN bit set.

In one particular example, the operations outlined herein can apply to a Gx architecture. Gx represents a third generation partnership project (3GPP) Diameter application. In a Gx-enabled network, a Gx reference point can be located between PCRF element 40 and PCEF module 56. The Gx reference point can be used for charging and policy control by applying AVPs relevant to the application. Service gateway 14 can provide policy control via the Gx interface. Before turning to some of the operations of this architecture, a brief discussion is provided about some of the infrastructure of FIG. 1.

Subscriber 12 can be associated with clients, customers, or end users wishing to initiate a communication in communication system 10 via some network. The term ‘subscriber’ is inclusive of devices used to initiate a communication, such as a computer, a personal digital assistant (PDA), a laptop or electronic notebook, a cellular telephone, an iPhone, an IP phone, or any other device, component, element, or object capable of initiating voice, audio, video, media, or data exchanges within communication system 10. Subscriber 12 may also be inclusive of a suitable interface to the human user, such as a microphone, a display, or a keyboard or other terminal equipment. Subscriber 12 may also be any device that seeks to initiate a communication on behalf of another entity or element, such as a program, a database, or any other component, device, element, or object capable of initiating an exchange within communication system 10. Data, as used herein in this document, refers to any type of numeric, voice, video, media, or script data, or any type of source or object code, or any other suitable information in any appropriate format that may be communicated from one point to another.

Service gateway 14 and PCRF element 40 are network elements that facilitate service flows between endpoints and a given network (e.g., for networks such as those illustrated in FIG. 1). As used herein in this Specification, the term ‘network element’ is meant to encompass routers, switches, gateways, bridges, loadbalancers, firewalls, servers, processors, modules, or any other suitable device, component, element, or object operable to exchange information in a network environment. The network elements may include a packet signature module 48 and packet mapping module 42 to support the activities associated with reporting packet signatures associated with particular flows, as outlined herein. Moreover, the network elements may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information.

In one implementation, service gateway 14 and PCRF element 40 include software to achieve (or to foster) the signature reporting operations, as outlined herein in this Specification. Note that in one example, these network elements can have an internal structure (e.g., with a processor, a memory element, etc.) to facilitate some of the operations described herein. In other embodiments, these signature reporting features may be provided externally to these elements or included in some other network device to achieve this intended functionality. Alternatively, service gateway 14 and PCRF element 40 include this software (or reciprocating software) that can coordinate with each other in order to achieve the operations, as outlined herein. In still other embodiments, one or both of these devices may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof.

In a Gx-enabled network, service gateway 14 can act as a PCEF, either as part of an enhanced GGSN (eGGSN) node, where service gateway 14 and a GGSN are provided as separate cards in a given network element. Alternatively, service gateway 14 can be configured to operate as a standalone Gi-node, with interoperability from external GGSNs. In eGGSN mode, service gateway 14 can act as a Gx interface endpoint, while the GGSN manages packet data protocol (PDP) contexts. Service gateway 14 and a given GGSN can communicate with each other using a remote authentication dial in user service (RADIUS) protocol, or any other suitable protocol where appropriate. Other protocols to be used in such communications can include Diameter, service gateway interface (SGI), terminal access controller access-control system (TACACS), TACACS+, etc.

Service gateway 14 can offer basic Gx support with enhancements for per-user layer 7 rules, dynamic policy loading, and per-user service policies. In a Gi-node mode, a standalone service gateway 14 can act as a Gx interface endpoint. The Gi-node mode can support the same functions as the eGGSN mode. To enable Gx support for a particular subscriber, service gateway 14 can define a user profile and associate that profile with the subscriber. For example, the user profile can enable Gx for associated subscribers. The user profile can also define the actions that service gateway 14 can take if a PCRF fails. In addition, the user profile can define the mobile policy control and charging (MPCC) profile to be used by service gateway 14 when sending per-user credit control requests (CCRs) to PCRF element 40.

Service gateway 14 can determine that a user is a Gx user in several ways. For example, a given GGSN can send a RADIUS accounting start request or a RADIUS accounting interim request: both of which can indicate that the user is a Gx user. Alternatively, service gateway 14 can compare the access point name (APN) name in an attribute (e.g., a Called-Station-Id attribute) of the RADIUS accounting start against a configured list of APN names to determine that the user is a Gx user. In regards to dynamic loading of policies, service gateway 14 can dynamically load global contents, maps, policies, billing plans, and services from PCRF element 40. If configured to do so, service gateway 14 can dynamically load policies as it boots up (i.e. preloading of policies). Service gateway 14 also supports exporting the IP and TCP headers from a subscriber TCP SYN (or SYN-ACK) packet to PCRF element 40 via the Gx protocol. PCRF element 40 selectively initiates a per-user TCP signature trigger to request the TCP signature information. In specific embodiments, this relates to identifying a given operating system, as detailed herein. The subscriber can be identified as a Gx user to allow this reporting to PCRF element 40.

RAN 16 is a communication interface between subscriber 12 and SGSNs 18 a and 18 b. RAN 16 may comprise a base transceiver station and a base station controller in one embodiment. The communication interface provided by RAN 16 may allow data to be exchanged between subscriber 12 and any number of selected elements within communication system 10. RAN 16 may facilitate the delivery of a request packet generated by subscriber 12 and the reception of information sought by subscriber 12. RAN 16 is only one example of a communication interface between subscriber 12 and SGSNs 18 a and 18 b. Other suitable types of communication interfaces may be used for any appropriate network design and these may be based on specific communication architectures.

SGSNs 18 a, 18 b, and GGSNs 32 a, 32 b are communication nodes or elements that cooperate in order to facilitate a communication session involving subscriber 12. GGSNs 32 a-b are communication nodes operating in a GPRS environment that may be working in conjunction with multiple SGSNs 18 a and 18 b to provide a communication medium in a GPRS service network. GGSNs 32 a and 32 b can provide a GPRS tunneling protocol (GTP), any PDP authentication, authorization, and accounting (AAA) operations, and QoS RAN signaling. GPRS may support multiple internet communication protocols and may enable existing IP, point-to-point protocol (PPP), or any other suitable applications or platforms to operate over a given network.

IP network 20 represents a series of points or nodes of interconnected communication paths for receiving and transmitting packets of information that propagate through communication system 10. IP network 20 offers a communicative interface between subscriber 12 and selected GGSNs 32 a-b, and may be any local area network (LAN), wireless local area network (WLAN), metropolitan area network (MAN), wide area network (WAN), virtual private network (VPN), or any other appropriate architecture or system that facilitates communications in a network environment. IP network 20 may implement a UDP/IP connection and use a TCP/IP communication language protocol in particular embodiments of the present disclosure. However, IP network 20 may alternatively implement any other suitable communication protocol for transmitting and receiving data packets within communication system 10.

PCRF element 40 can be configured to initiate the TCP signature trigger using a subscriber credit control answer (CCA) or re-authorization request (RAR) message. Service gateway 14 can report the TCP signature of the next TCP flow in a subscriber credit control request-update (CCR-U) message. After the trigger is set, it can be cleared until it is initiated again by PCRF element 40. In one sense, a trigger being set or armed can mean that PCRF element 40 indicated to service gateway 14 that the next TCP-SYN for a given subscriber should be reported. At this juncture, there is a trigger set, but no TCP-SYN to report. PCRF element 40 is able to effectively disarm the trigger (i.e., disable the mechanism, or unset the feature) if it so chooses. If service gateway 14 sees the TCP-SYN for the subscriber and the trigger is still set, the trigger is disarmed and the TCP-SYN is reported. PCRF element 40 can then choose to set the trigger again to see the next TCP-SYN for the subscriber.

PCRF element 40 can be configured to act as a Diameter server and perform the following functions: 1) use the Gx interface to provision PCC rules to (and remove PCC rules from) PCEF module 56; 2) manage policy control decisions; 3) provide network control regarding the service data flow detection, QoS, and flow-based charging towards PCEF module 56; 4) receive session and media-related information from application functions (AFs); and 5) inform the AFs of traffic plane events.

PCEF module 56 can act as a Diameter client and perform the following functions: 1) use the Gx interface to send traffic plane events to PCRF element 40; 2) enforce policy, handle flow-based charging, control QoS and the handling of user plane traffic; 3) provide service data flow detection, counting for online and offline charging interactions; and 4) report changes in the status of service data flows. In a Gx-enabled network, the PCC rules can be used to: 1) detect a packet that belongs to a service data flow; 2) identify the service to which the service data flow contributes; and 3) provide applicable charging parameters and policy control for a service data flow. PCC rules can be dynamically provisioned by PCRF element 40 to PCEF module 56 over the Gx interface. Dynamic PCC rules can be dynamically generated in PCRF element 40. Dynamic PCC rules can be activated, modified, and deactivated at any time.

Loggen element 24 is a storage element operable to build billing records and communicate the billing records to a billing system based on information provided by KUT 26. Loggen element 24 may also operate to store data for later use and execute all formatting for billing records to be communicated to a billing system. Loggen element 24 may be implemented using hardware, software, or any other suitable element or object operable to store information and to generate a billing record to be communicated to a billing system. Loggen element 24 may generate logging records or billing records and additionally send messages to a billing system element associated with a change in SGSN.

KUT 26 is a data storage element that manages one or more correlations between the ID of subscriber 12 and a corresponding IP address. KUT 26 could be simply part of any memory element within service gateway 14. KUT 26 may also store information relating to billing, previously designated for subscriber 12, and the billing system may be invoked when additional information associated with subscriber 12 is communicated to service gateway 14. KUT 26 may be consulted as additional billing records are created in order to determine that a billing system should receive selected billing records. KUT 26 may also include an application program interface (API) that may be implemented in order to obtain user ID information for an IP address from a data flow.

KUT 26 is provided with the capability of mapping the source IP address (or any other subscriber 12 parameter) to a user ID. The user ID may be obtained from an external database, where appropriate, or any other suitable location. Alternatively, the user ID may be extracted from a RADIUS flow, a TACACS communication flow, a Diameter communication flow, or any other suitable communication protocol flow, communication session, or data exchange. The database may be populated at any suitable time and updated using any suitable mechanism, such as via the sniffing of RADIUS or TACACS flows.

Server 60 can be a web server offering content or services to any subscriber or group of subscribers. For example, server 60 could be any network element associated with www.ESPN.com or www.yahoo.com: both of which could offer content for their end users. Alternatively, server 60 can be any destination, location, or node that is sought to be accessed or used by subscriber 12. Server 60 may provide the requested service/content, or provide a portal, pathway, or gateway to another location that includes the desired data. In other embodiments, server 60 could simply be a data storage location or a processor that can store or deliver content or services to one or more subscribers 12.

Turning to FIG. 2, FIG. 2 is a simplified flow diagram 70 illustrating one example activity associated with communication system 10. This particular flow is associated with a TCP signature trigger establishment. Note that in terms of preconditions for this particular flow, a given subscriber can log onto the service provider network and initiate a TCP connection. In this particular example, the subscriber is allowed on the provider network and the subscriber represents a GX user. The subscriber initiates a connection for an allowed service.

In the following flow, the TCP signature trigger can be set (i.e., identified), and the TCP signature AVP can be sent to PCRF element 40. The scenario can be initiated when a subscriber logs into the service provider network and PCRF element 40 sets the TCP signature trigger for the user. At step one (and in the context of a GPRS example), the GGSN sends an accounting start (e.g., RADIUS accounting message) to service gateway 14. At step two, service gateway creates a KUT entry and sends a Policy Auth CCR-Initial to PCRF element 40 with the subscriber information. At step three, PCRF element 40 responds with a Policy Auth CCA-I that includes a trigger for a TCP Signature. Service gateway 14 can set a trigger for the TCP signature on the KUT entry. In one sense, service gateway 14 is indicating that if a certain criteria has been met for particular parameters, the gateway would like to be informed of that event.

Step four reflects the subscriber sending a SYN packet, where service gateway 14 forwards the SYN packet to the server at step five. At step six, the TCP signature trigger is executed and service gateway 14 sends a Policy Auth CCR-U to PCRF element 40 with a new AVP that contains the IP and TCP headers for the SYN packet. The trigger can harvest specific bits from the SYN packets. These bits can be sent back to PCRF element 40, which has the intelligence to map these characteristics to particular operating systems. That logical connection can then be used to make informed policy decisions, which can be sent to service gateway 14. In a general sense, OS-based policy decisions are made at PCRF element 40, where those decisions are executed by service gateway 14.

Note that in a network initiated flow, the TCP signature trigger could be initiated on the SYN-ACK from the subscriber. The IP and TCP headers included in the new AVP can come from the SYN-ACK. The TCP signature trigger is subsequently cleared after step six (e.g., to avoid unnecessarily flooding PCRF element 40 with data). At step seven, PCRF element 40 responds with a Policy Auth CCA-U message. In terms of the trigger, PCRF element 40 can send a specific AVP. For this particular user, service gateway 14 can monitor the flow for subsequent SYN packets. When a subsequent SYN packet is received by service gateway 14, a particular signature can be sent to PCRF element 40 in order to make an informed policy decision. As a general proposition, the trigger is indicating that monitoring should be done in case a particular event occurs for a particular subscriber.

This particular subscriber flow can be further analyzed in step six in order to intelligently identify the operating system being employed by this particular subscriber. This identification could involve some type of backend server, or a consultation with some particular database. In other instances, PCRF element 40 can perform this mapping by itself (e.g., using packet mapping module 42). In one particular example, a backend server is used to intelligently discern the operating system, and that particular server arrangement is discussed below with reference to FIG. 4.

It should also be noted that at step seven, any number of suitable responses could occur. In this particular example, service gateway 14 operates as an enforcement point for the policy decisions being executed by PCRF element 40. Thus, in one example, service gateway 14 is configured to operate as a PCEF element, which constantly interfaces with PCRF element 40 to receive/enforce policy decisions. PCRF element 40 can make its policy decisions based on rules that relate a subscriber to a particular policy, where that policy can be verified, affirmed, validated, or otherwise confirmed through an intelligent identification of the subscriber's operating system.

Where particular flows are not in conformity with the subscriber's policy, any number of responses can occur. For example, based on an identification of the operating system, service gateway 14 may choose to stop services for this particular subscriber. In other instances, service gateway 14 could block particular traffic for this subscriber. Other responses could include a continual monitoring or policing for this particular subscriber. In another instance, a response can trigger additional billing for this particular set of flows. Still other responses could include metering for this particular subscriber, or some type of redirection for this subscriber's flows. Such a redirection could include an indication for additional payment, or an indication that apprises the subscriber of potential charges for these particular flows. Another response could include adjusting, terminating, or otherwise managing a quality of service level for the subscriber's flow(s). Yet another response could include indicating to a corresponding SGSN to terminate this connection.

FIG. 3 is a simplified flow diagram 80 associated with an example embodiment of the present disclosure. The particular activity being depicted by FIG. 3 is associated with service gateway 14 and PCRF element 40. Note that PCRF element 40 may have some difficulty in identifying a subscriber's operating system. This could result in a small delay, or in other instances, PCRF element 40 may not be able to figure out the operating system for a particular flow. In such an instance, PCRF element 40 can signal this condition to service gateway 14. Thus, in addition to the CCA primitive described previously, there is also an RAR primitive, which is illustrated by FIG. 3.

In one particular example, PCRF element 40 can reinitiate the TCP signature trigger. In this instance, the subscriber has a KUT entry on service gateway 14. For the actual trigger, PCRF element 40 can send a RAR message with the TCP signature trigger. At step one, PCRF element 40 can send a policy install request that includes a TCP signature trigger. At step two, service gateway 14 can enable the TCP signature for the user and respond with a policy install ACK message (e.g., a resource allocation message, a reauthorization answer (RAA) message, etc.). The next TCP flow that is initiated for the user can result in a CCR with the TCP signature AVP. From this point, policy decisions can be made and ultimately enforced, as discussed herein.

FIG. 4 is a simplified block diagram of a server configuration 90 associated with an example implementation of communication system 10. FIG. 4 includes PCRF element 40, which is coupled to a server 92 that includes a processor 94 and a database 96. Within database 96 is a key 97, along with a table 98. Key 97 can describe a number of operating system characteristics, which are shown in table 98. For example, key 97 defines particular packet characteristics: some of which may provide an indication of a particular operating system being used (e.g., by the device being used by the subscriber). Some of these potential characteristics can include the TCP window size, the TCP option maximum segment size, the TCP option window scale, the IP time to live, the IP ‘do not fragment’ flag being set, the TCP option selective acknowledgment (SACK) permitted being true, the TCP option containing a no operation (NOP) indication, a TCP timestamp being present, a TCP WSS field being present, the TCP window scale field being present, an operating system number or name, etc. Any number of additional characteristics may be used in order to determine or to infer that packets are emanating from a particular type of device, processor, endpoint, etc. Aside from determining a given operating system, these packet characteristics can also be used to determine various other conditions, features, or qualities associated with particular communication flows.

In operation, server 92 can receive requests from PCRF element 40. Server 92 can then coordinate with its internal processor 94 and database 96 in order to make an intelligent decision about which operating system is being used by a subscriber. This determination may be influenced by the criteria specified within table 98. More specifically, table 98 may be configured with a number of parameters associated with particular operating systems. These parameters may be matched against incoming packets that are received from PCRF element 40. Once a suitable determination has been made in identifying an operating system, that information can be sent back to PCRF element 40. PCRF element 40 can then make informed policy decisions based on a proper identification of the operating system being employed by a given subscriber.

Note that in certain example implementations, the signature reporting (and operating system identification) functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit [ASIC], digital signal processor [DSP] instructions, software [potentially inclusive of object code and source code] to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element [as shown in FIG. 1] can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, the processor [as shown in FIG. 1] could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array [FPGA], an erasable programmable read only memory (EPROM), an electrically erasable programmable ROM (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.

In one example implementation, service gateway 14 and PCRF element 40 include software in order to achieve the signature reporting (and operating system identification) functions outlined herein. These activities can be facilitated by packet signature module 48 and/or packet mapping module 42. Both service gateway 14 and/or PCRF element 40 can include memory elements for storing information to be used in achieving the intelligent signature reporting and OS identification operations as outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform the intelligent signature reporting and OS identification activities as discussed in this Specification. These devices may further keep information in any suitable memory element [random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.], software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., database, table, key, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the network elements can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment.

Note that with the example provided above, as well as numerous other examples provided herein, interaction may be described in terms of two, three, or four network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of network elements. It should be appreciated that communication system 10 (and its teachings) are readily scalable and can accommodate a large number of components, as well as more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of communication system 10 as potentially applied to a myriad of other architectures.

It is also important to note that the steps in the preceding flow diagrams illustrate only some of the possible signaling scenarios and patterns that may be executed by, or within, communication system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the present disclosure. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by communication system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the present disclosure.

Although the present disclosure has been described in detail with reference to particular arrangements and configurations, these example configurations and arrangements may be changed significantly without departing from the scope of the present disclosure. For example, although the present disclosure has been described with reference to particular communication exchanges involving certain GGSN components, communication system 10 may be applicable to other protocols and arrangements such as any type of network access server (NAS), GPRS entry point, etc. Moreover, the present disclosure is equally applicable to various cellular and/or wireless technologies including CDMA, Wi-Fi, WiMax, etc. In addition, other example environments that could use the features defined herein include Pico and femto architectures, where an appropriate signature reporting (and operating system identification) would occur for one or more users. Moreover, although communication system 10 has been illustrated with reference to particular elements and operations that facilitate the communication process, these elements and operations may be replaced by any suitable architecture or process that achieves the intended functionality of communication system 10. 

What is claimed is:
 1. A method, comprising: receiving a request to initiate a communication flow; mapping a source IP address associated with the communication flow to a subscriber; determining a service level for the subscriber; identifying one or more parameters to be monitored for the communication flow; requesting a synchronization packet in response to a threshold being reached for at least one of the parameters; receiving the synchronization packet; extracting one or more bits from the synchronization packet, wherein the bits are attribute value pairs; determining an operating system associated with the communication flow using the one or more bits from the synchronization packet; and executing a policy decision based on the operating system associated with the communication flow and the service level for the subscriber, wherein the policy decision was received from a policy and charging rules function element.
 2. The method of claim 1, wherein the bits are sent to a next destination in response to the threshold being reached for at least one of the parameters, and wherein the parameters are associated with a selected one of a volume parameter and a time parameter.
 3. The method of claim 1, wherein executing the policy decision includes blocking traffic associated with the subscriber.
 4. The method of claim 1, wherein executing the policy decision includes initiating billing for the communication flow.
 5. The method of claim 1, wherein executing the policy decision includes redirecting the communication flow to a next destination.
 6. The method of claim 1, wherein executing the policy decision includes managing a quality of service level for the communication flow.
 7. The method of claim 1, wherein the bits are part of a selected one of a group of elements within the synchronization packet, the group of elements consisting of: a) a transmission control protocol (TCP) header; b) a packet option; c) a packet flag; d) a TCP field; and e) an IP header field.
 8. The method of claim 1, further comprising: establishing a trigger used to initiate a request for the synchronization packet, wherein the trigger was received from a policy and charging rules function element.
 9. The method of claim 8, wherein the trigger is a per-user volume threshold and the request for the synchronization packet is sent after the per-user volume threshold is met.
 10. Logic encoded in one or more tangible media that includes code for execution and when executed by a processor operable to perform operations comprising: receiving a request to initiate a communication flow; mapping a source IP address associated with the communication flow to a subscriber; determining a service level for the subscriber; identifying one or more parameters to be monitored for the communication flow; requesting a synchronization packet in response to a threshold being reached for at least one of the parameters; receiving the synchronization packet; extracting one or more bits from the synchronization packet, wherein the bits are attribute value pairs; determining an operating system associated with the communication flow using the one or more bits from the synchronization packet; and executing a policy decision based on the operating system associated with the communication flow and the service level for the subscriber, wherein the policy decision was received from a policy and charging rules function element.
 11. The logic of claim 10, wherein the bits are sent to a next destination in response to the threshold being reached for at least one of the parameters, and wherein the parameters are associated with a selected one of a volume parameter and a time parameter.
 12. The logic of claim 10, wherein executing the policy decision includes blocking traffic associated with the subscriber.
 13. The logic of claim 10, wherein executing the policy decision includes initiating billing for the communication flow.
 14. An apparatus, comprising: a memory element configured to store data, a processor operable to execute instructions associated with the data, and a packet signature module configured to: receive a request to initiate a communication flow; map a source IP address associated with the communication flow to a subscriber; determine a service level for the subscriber; identify one or more parameters to be monitored for the communication flow; request a synchronization packet in response to a threshold being reached for at least one of the parameters; receive the synchronization packet; extract one or more bits from the synchronization packet, wherein the bits are attribute value pairs; determine an operating system associated with the communication flow using the one or more bits from the synchronization packet; and execute a policy decision based on the operating system associated with the communication flow and the service level for the subscriber, wherein the policy decision was received from a policy and charging rules function element.
 15. The apparatus of claim 14, wherein the bits are sent to a next destination in response to the threshold being reached for at least one of the parameters, and wherein the parameters are associated with a selected one of a volume parameter and a time parameter.
 16. The apparatus of claim 14, further comprising: a policy control enforcement function (PCEF) module configured to block traffic associated with the subscriber in response to the operating system being determined.
 17. The apparatus of claim 16, wherein the PCEF module is further configured to: redirect the communication flow to a next destination in response to the operating system being determined.
 18. The apparatus of claim 14, further comprising: a quality of service module configured to manage a quality of service level for the communication flow.
 19. The apparatus of claim 14, further comprising: a known user table (KUT) element configured to use an application program interface (API) to determine if one or more thresholds associated with the parameters are reached.
 20. The apparatus of claim 14, further comprising: a policy and charging rules function configured to compare the bits to predetermined operating system characteristics to determine the operating system associated with the communication flow. 